On Thu, Oct 13, 2016 at 02:21:24PM +0000, Manuel Amador (Rudd-O) wrote:
> On 10/12/2016 10:16 PM, Marek Marczykowski-Górecki wrote:
> > Hi,
> >
> > [...packaging 3rd party software...]
> > Any thoughts?
> I think it depends on whether the 3rd party software is meant to be
> upstreamed into Qubes OS.
> For example, in the case of my tools, I would like them to be
> upstreamed, therefore the ideal thing to do would be to incorporate them
> into the QubesOS Github org, and then add them as extra sources in the
> builder.  That requires, of course, that Qubes OS the project provide a
> proper process for vetting for upstreaming, and upstreaming vetted
> software.  Ultimately the Qubes OS devs end up controlling that
> software, and the future contribution process is simply based on pull
> requests.

This is generally a good idea, but I'm afraid of some social effect: this
may look like taking the software away from the original author, taking
the credit for it. But on the other hand, the repository will still have
its commit history, and a "forked from ..." reference.

Andrew, any thoughts on this aspect?

> For software that isn't meant to be upstreamed, but should be
> installable, it would be great if there was a separate qubes-contrib
> repo where people with cool Qubes extensions can upload packages —
> again, following a review process, ideally based on diffs of source
> RPMs, which only accepts SRPMS that were signed by their original
> submitters — prior to them getting signed by the folks in charge of the
> qubes-contrib repo.  This would provide a distribution channel for those
> packages.  This is tricky though, because we are betting on the people
> in charge of the repo (and building / signing the packages) to catch
> potential malicious software being submitted.  Effectively we need a
> queue submitter -> new, signed SRPM up for review -> reviewer looks at
> diff between last published SRPM and this incoming SRPM -> reviewer
> approves -> builder builds -> built SRPM and RPMs -> reviewer does Q/A
> on built products -> reviewer signs -> reviewer pushes to
> qubes-contrib.  This of course needs to be 100% fully automated.

This is a nice idea, but for a much larger scale. Writing/adopting such a
tool (do you know anything like this?) alone requires a lot of work. I
think it's worth doing this when just reviewing the submissions becomes a
full-time job. On the other hand, I'd very much like to have such an
active Qubes OS community ;)

> And, of course, both options are labor-intensive.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?